SECURITY OF PERSONNEL DATA FILES

EXECUTIVE SUMMARY
Based on a request from the House Subcommittee on Oversight and Investigations
(Subcommittee) of the Committee on Financial Services, we reviewed the controls
over personnel data files and documentation. We found that the Commission
generally complied with Office of Personnel Management (OPM) guidance regarding
file organization, although controls over the storage and retrieval of files and the
filing of personnel records can be improved, as described below.

SCOPE AND OBJECTIVE
Our objective was to evaluate the adequacy of controls over official personnel files
and personnel documentation. OPM guidelines specify how these files are to be
maintained.

During the review, we interviewed staff in the Office of Administrative and
Personnel Management, identified and tested management controls, and reviewed a
statistical sample of 45 official personnel files, among other procedures. The audit
was performed from May to June 2001 in accordance with generally accepted
government auditing standards.

BACKGROUND
The Office of Administrative and Personnel Management (OAPM) maintains the
official personnel file (OPF, SF-66) and related personnel documentation. This file,
which is maintained for every employee, documents significant events during an
employee’s federal employment (e.g., appointment, promotion, transfer, separation).
The folder is in the custody of the employing agency (the Commission), but the Office
of Personnel Management owns it.

OPM has established security requirements and retention standards for the
permanent records in the file.
According to the guidance, agencies should secure
personnel records against unauthorized access by keeping them in locked metal file
cabinets or in a secure room.

OPM categorizes personnel file documents as either long term or temporary.
Long-term records such as the Notification of Personnel Action (SF-50) protect the legal
and financial rights of the Government and the employee. They remain in the file
for the life of the folder, usually 115 years from the employee’s date of birth.
Personnel actions are processed through the Department of Interior’s (DOI) Federal
Personnel and Payroll System (FPPS).[1]

Temporary records include offer letters, requests for personnel actions (SF-52), and
employee address forms. These records are discarded when an employee transfers to
another agency or leaves federal service.

OPM procedures require permanent documents to be placed in order by effective
date on the file’s right side. Temporary documents are placed on the left side of the
file. The cover of the file lists the employee’s name, social security number, and date
of birth.

A recent audit by the Department of Commerce (DOC) Office of Inspector General
found that many forms documenting personnel actions were not in the DOC
employees’ personnel files and that a number of the files could not be located. In
response, the House Subcommittee asked our office and others to perform a similar
review of the controls over personnel files and documents.

AUDIT RESULTS
We found that the Commission generally complied with OPM guidance regarding
file organization.
The cover contained the required information, and permanent and
temporary documents were on the correct side.

As described below, we identified improvements to the security of files, use of
sign-out cards, and the filing of personnel documents.

FILE ROOM SECURITY
The OAPM file room is locked at night, but not during the day. Personnel files are
maintained in an unlocked power file within the room, which also contains assorted
personnel forms and a paper shredder.

According to OAPM, personnel assistants assigned to the file room closely monitor
all activity in the room. Only the assistants are supposed to use the shredder.
However, if the assistants leave the room, personnel files could be taken without a
charge card being completed.

OAPM indicated that it would place a sign near the file room door indicating that
only OAPM staff are allowed in the room. It will notify its staff that only the
personnel assistants may use the shredder.

[1] The Commission contracts with DOI for certain personnel and payroll services.

SECURITY OF PERSONNEL DATA FILES--(AUDIT 338)    AUGUST 13, 2001

      Recommendation A
      To further enhance security, OAPM should require the assistants to lock the
      file room whenever it is unattended.

SIGN-OUT CARDS
OAPM procedures require completion of a sign-out card when staff remove a
personnel file. The sign-out card remains in the power file cabinet until the file is
returned.

Of our representative sample of 45 files, one of the files was not available at the time
of our test, and no sign-out card was in the cabinet. Without a sign-out card, the
location of the file could not be readily determined. During a subsequent check, we
found that the missing folder had been returned.
[2]

We also identified one instance in which an employee signed out a file for several
months, reducing file security. An OAPM personnel specialist also indicated that
sometimes several staff used a signed-out personnel file, thereby reducing
accountability.

      Recommendation B
      OAPM should remind its staff to complete a sign-out card whenever a file is
      removed from the file room; to promptly return personnel files to the file
      room; and to avoid sharing signed-out files.

      Response: OAPM indicated that it would notify its staff of the sign-out
      procedures for OPFs.

      Recommendation C
      OAPM should periodically review sign-out cards to verify that files are being
      returned promptly.

      Response: OAPM indicated that it would require the personnel assistants to
      file sign-out cards in a box. The assistants will check the box daily, and
      follow up with any OAPM staff having OPFs for more than two weeks.

FILING OF PERSONNEL DOCUMENTATION
To test filing of personnel documentation, we selected a representative sample of 308
personnel action forms (SF-50s) processed by FPPS after January 2, 1999.
The forms related to our sample of 45 personnel files.

A total of seven forms (approximately 2%), which were dated about four months
prior to our test, had not yet been filed.

[2] In an ongoing audit of controls over staff background investigations, we similarly
found one file missing without a sign-out card.

      Recommendation D
      OAPM should develop review procedures to ensure that personnel
      documentation is timely filed.

      Response: OAPM indicated that the personnel assistant will be required to
      retrieve the OPF to process each personnel action, and will file the SF-50 in
      the OPF at that time. When a large batch of SF-50s is processed, the
      assistants will file all personnel action forms within two weeks, with
      assistance from other OAPM staff.

GUIDANCE ON TEMPORARY RECORDS
As stated in the Background, OPM has developed retention standards for permanent
personnel records. The employing agency is responsible for developing retention
standards for its temporary records. The Commission has not yet developed
guidance on this issue, which would help ensure consistent treatment of these
records.

      Recommendation E
      OAPM should develop guidance on retention standards for temporary
      personnel records.

      Response: OAPM indicated that temporary records are purged when
      employees separate. Temporary records include employment offer letters,
      checklists of personnel forms completed and returned, receipt of redeposit
      forms, notes of benefit problems and resolutions, personnel action requests
      (SF-52), and other miscellaneous documents.